Select individual characters from password

[ithinkiam]

I've been using enpass for several months now, after being a long time KeepassX user and I love it!

One feature that would be great to have is a way to select specific characters from a password. More and more websites only ask for individual characters from your password so it's not possible to autofill. The only way to do it is to reveal the password and count the characters. It means I have to use shorter passwords as finding the 15th, 43rd and 63rd characters would be extremely annoying!

A simple way may be to have a dialogue with the password hidden yet each character is numbered above or below. Selecting/clicking the desired number(s) reveals the password character(s) in order to manually input to the webform.

Would something like this be feasible?

Thanks.

[Anshu kumar]

Hi @ithinkiam,

Thanks for your suggestion. Our development team is working on similar feature called "subset of Password", which will fulfill your requirement and will be available in near future.

Cheers!

[My1]

On 10.9.2016 at 0:15 PM, ithinkiam said:

More and more websites only ask for individual characters from your password so it's not possible to autofill

you have some examples? because I never saw websites like that, and I REALLY think that these websites should be avoided because being able to ask for specific chars of the PW almost certainly means plaintext (or plaintext retrievable, e.g. plain encrypted) storage.

[ithinkiam]

Hi @my1

It's mostly financial websites that do this (banks, credit card, etc). I also had this when calling up my ISP recently. 

[ithinkiam]

On 9/12/2016 at 11:00 AM, Anshu kumar said:

Hi @ithinkiam,

Thanks for your suggestion. Our development team is working on similar feature called "subset of Password", which will fulfill your requirement and will be available in near future.

Cheers!

That's great to hear. Looking forward to it.

[My1]

18 hours ago, ithinkiam said:

Hi @my1

It's mostly financial websites that do this (banks, credit card, etc). I also had this when calling up my ISP recently. 

well my bank never does this, and I am happy about it.

 

especially because if they ask for specific characters of the password there are only 2 ways of doing it.

1) do it after you entered your password (plaintextpw may still be in ram or whatever, I sure hope it's probably wiped afterwards)

2) store the password in a retrievable form. which is OBVIOUSLY bad because a machine-retrievable password means that as soon as someone gets access to the machine, you can screw any last security measure that prevents bruteforcing, because the machine needs the PLAINTEXT pass to probe certain chars. and if the machine itself can access teh passwords even if they are encrypted that means that the machine has access to that key, which obviously means that an attacker can as soon as he is in the server near-effortlessly access ALL PASSWORDS IN PLAINTEXT!

If I were you I would seriously ask that provider to talk about how they store the passwords, because if it is scenario 2 where you dont enter your full pass but the subset only they are literally just asking for trouble. this is even worse than the Yahoo hack which had md5 for passwords which is albeit not really secure, at least needs the attacker to bruteforce or rainbowtable it, but in scenario 2 the attacker gets the PLAINTEXT passwords literally served on the silver tablet (at least that's how we would say it in german, dunno if that works in english).